Quoting some documentation that I’m in the process of writing:
- Offering a specified certificate on a web site
This method is called the TLS-SNI-01 challenge. In this challenge, the certificate authority will expect a specified digital certificate to be provided by the web server in response to an HTTPS request using a particular made-up domain name. The request will be made using HTTPS on TCP port 443. You cannot choose a different port number.
This certificate is a self-signed certificate created by Certbot. You use it only temporarily to prove your control over a domain name. It’s not the same as the certificate for your site that will later be issued by Let’s Encrypt once you’ve proven that you control the site.
Common problems with the TLS-SNI-01 challenge:
You aren’t running Certbot on your web server
Most people should install and run Certbot on their web server hosting their website, not on their laptops or some other computer. While you can use Certbot in manual mode on a laptop and then separately set up the appropriate files on your webserver, it’s not likely to be the most convenient way to get a certificate for most users.
A domain name you’re requesting a certificate for isn’t correctly pointed at that web server
In most cases, every name you’re requesting a certificate for should already exist and be pointed to the server where you’re requesting that certificate. (Some alternatives exist for complex network configurations, but they’re the exception rather than the rule.)
You’re using a content delivery network (CDN)
TLS-SNI-01 doesn’t work with CDNs (like CloudFlare and Akamai). You have to use a different challenge type. (This is a special case of the previous problem: the domain name is pointed at the CDN, not directly at your server.)
A firewall is blocking access to port 443
The certificate authority needs to be able to connect to port 443 of your server in order to confirm that you satisfied the TLS-SNI-01 challenge. So that needs to be publicly reachable from the Internet, and not blocked by a router or firewall.
(With apache plugin)
Certbot thinks you’re running Apache, but you aren’t running it, or you’re running a different server of some kind on port 443
(With apache plugin)
You have more than one virtualhost defined within a single configuration file in
/etc/apache2/sites-available (which confuses Certbot; this is a bug which will be fixed in a forthcoming release)
(With nginx plugin)
Certbot thinks you’re running nginx, but you aren’t running it, or you’re running a different server of some kind on port 443
(With apache or nginx plugin)
Certbot doesn’t know how to modify your web server configuration correctly
(With standalone plugin)
You tried to use
--standalone when there was already some other program on your server listening to port 443
Your DNS records aren’t valid
Try checking your DNS records with a tool like the DNSchecker at http://www.dnsstuff.com/ to make sure there are no serious errors. Sometimes a DNS error still allows your site to load in a web browser, but prevents the certificate authority from issuing a certificate.